OpenSSL server sending certificate chain(inc. root cert) during handshake

[Jason Schultz]

I believe this behavior is common among all supported versions of OpenSSL, but most of my testing has been with OpenSSL 1.0.2, the latest LTS release.

My application using OpenSSL is acting as a server. I have a server certificate configured that has been signed by a self-signed/root certificate, so the chain is only the server certificate and the root certificate. The certificates were created using OpenSSL, for non-production use only. The server application is calling SSL_CTX_use_certificate_file() to load the server cert, residing in /etc/ssl/certs.

Depending on what's in /etc/ssl/certs, the handshake behavior will show 1 of 2 things:


  1.  If only the server certificate (and NOT the self-signed root cert) is in /etc/ssl/certs/, only the server certificate will be presented in the handshake.
  2.  If the server AND self-signed root certificates are in /etc/ssl/certs/, the entire chain will be presented during the handshake.

My questions deal with #2: Why does OpenSSL include the root cert in the certificate chain? Will the root cert be included in the chain any time it's in the same directory as the server cert? Is there a way, via API call, configuration, etc, to force OpenSSL to NOT send the root certificate as part of the chain in this case? Or is there something more basic I'm missing? Googling for answers has not proved fruitful as there are a lot of results, none of which pertain to my situation...although my google fu may be lacking.

Thanks in advance.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190531/299ac48e/attachment.html>